Chain of exploits could be triggered without any authentication
The new bug, discovered and reported by researchers at Sonar, allowed attackers to manipulate the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server.
Prototype vulnerability in dependencies
“Blitz.js is an upcoming JS framework that gained traction on GitHub,” Paul Gerste, vulnerability researcher at Sonar, told The Daily Swig. “We selected it in order to help secure its code base and study real-world vulnerabilities.”
Blitz is built on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform.
One of the advertised features of Blitz.js is its ‘Zero-API’ layer, which allows the client to invoke server-side business logic through simple functions without the need to write API code.
Blitz.js makes an RPC call to the server in the background and returns the response to the client function call.
“Blitz.js adds an RPC layer on top of Next.js (among other features), and that layer uses superjson to deserialize data from incoming requests. The vulnerability is entirely inside of superjson,” Gerste said.
As an extended version of JSON, superjson adds support for dates, regular expressions, and circular references. To reconstruct circular references, the serialized document carries paths that name properties of the object being deserialized; because those paths come from the untrusted request, an attacker can point them at the object prototype, which is what caused the prototype pollution vulnerability. By writing to properties through such a path, an attacker could change the behaviour of the code running on the server.
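To make the mechanism concrete, here is an added example (not superjson or Blitz.js code, and not the real superjson wire format) of a simplified deserializer step that follows attacker-supplied property paths. The hypothetical `setPathUnsafe` reproduces the dangerous pattern, while `setPathSafe` refuses prototype-reaching segments and only descends into own properties; `prototypeIsClean` is a small runtime check a defender can use to detect that pollution has occurred.

```javascript
// Added example, not code from superjson or Blitz.js. It models an extended-JSON
// deserializer that applies "references" (dotted property paths) taken from an
// untrusted payload, in a naive form and a hardened form.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive path setter: walks a dotted path from `root`, creating intermediate objects,
// and assigns `value` at the end. It never inspects the segments, so a path such as
// "__proto__.polluted" walks onto Object.prototype and writes there. This is the
// defect, kept deliberately to contrast with the hardened version below.
function setPathUnsafe(root, path, value) {
  const segments = path.split('.');
  let cur = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return root;
}

// Hardened path setter: rejects segments that can reach a prototype, and only
// descends into properties the current object owns itself, never inherited ones.
function setPathSafe(root, path, value) {
  const segments = path.split('.');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing to follow unsafe path segment: ${seg}`);
    }
  }
  let cur = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return root;
}

// Applies a constructed list of references from a payload using the safe setter.
// `refs` is an assumed shape: [{ path: 'a.b', value: ... }, ...].
function applyReferences(payload, refs) {
  for (const ref of refs) setPathSafe(payload, ref.path, ref.value);
  return payload;
}

// Detection check: Object.prototype normally has no own enumerable keys, so any
// that appear are a strong sign that something polluted the prototype.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Usage on a constructed payload; the hostile reference is rejected instead of applied.
if (typeof require !== 'undefined' && require.main === module) {
  const doc = applyReferences({ user: {} }, [{ path: 'user.name', value: 'alice' }]);
  console.log(JSON.stringify(doc), 'clean:', prototypeIsClean());
  try {
    applyReferences({}, [{ path: '__proto__.polluted', value: 'yes' }]);
  } catch (e) {
    console.log('rejected:', e.message, 'clean:', prototypeIsClean());
  }
}
```

The denylist alone is not sufficient in general (other routes to a prototype exist in some APIs), which is why the safe setter also refuses to descend into anything that is not an own property; a deserializer that builds its result from `Object.create(null)` objects removes the inherited chain altogether.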
RCE on Blitz servers
Gerste discovered a chain of exploits that could be triggered through the prototype pollution vulnerability and lead to RCE.
The attacker could use this function to launch a CLI process and run an arbitrary command on the server.
Prototype pollution in Blitz.js (Image: sonarsource.com)
What makes this vulnerability especially dangerous is that it can be triggered without any authentication, so any user who can reach the Blitz.js application could achieve remote code execution on the server.
“An attacker would have the same level of privilege as the vulnerable application,” Gerste said. “So, if the application runs as root, the attacker would also have root privileges.”
Prototype pollution bugs often have indirect and hard-to-predict effects. In the case of Blitz.js, for example, the CLI wrapper object was not vulnerable in itself, but its behaviour could be altered through the prototype pollution bug.
“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste said. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.”
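The point Gerste makes about harmless code patterns is easy to see in a small added example (not Blitz.js code): a hypothetical option reader that falls back to a default whenever a property is missing. Plain property access also finds inherited properties, so once the prototype is polluted the reader silently picks up an attacker's value. `readOptionSafe` shows the consumer-side fix, and `withPollutedPrototype` simulates pollution in a scoped way for testing and always restores the prototype afterwards.

```javascript
// Added example, not code from Blitz.js. Shows how a benign option-reading pattern
// is influenced by prototype pollution, and how to make it robust on the consumer side.

// Naive reader: a missing option falls back to `fallback`, but `opts[name]` also
// returns inherited properties, so a polluted prototype supplies the "option".
function readOptionUnsafe(opts, name, fallback) {
  return opts[name] !== undefined ? opts[name] : fallback;
}

// Hardened reader: only the object's own properties count as user-supplied.
function readOptionSafe(opts, name, fallback) {
  return Object.prototype.hasOwnProperty.call(opts, name) ? opts[name] : fallback;
}

// Builds an options object without a prototype chain, so there is nothing to inherit.
// Useful when the caller controls how the options object is constructed.
function toNullPrototype(obj) {
  return Object.assign(Object.create(null), obj);
}

// Test helper: plants one inherited property on Object.prototype, runs `fn`, and
// always removes the property again so the process is left clean.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, configurable: true, writable: true, enumerable: true,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Optional startup hardening: freezing Object.prototype makes later pollution
// attempts fail (silently, or with a TypeError in strict mode). Not called here
// because it affects the whole process.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
}

// Usage on constructed options: the caller never set "timeout", yet the naive reader
// returns the planted value while the safe reader keeps the default.
if (typeof require !== 'undefined' && require.main === module) {
  const opts = { verbose: true };
  const seen = withPollutedPrototype('timeout', 0, () => ({
    unsafe: readOptionUnsafe(opts, 'timeout', 30),
    safe: readOptionSafe(opts, 'timeout', 30),
    nullProto: readOptionUnsafe(toNullPrototype(opts), 'timeout', 30),
  }));
  console.log(seen);
}
```

Note that `readOptionUnsafe` contains nothing that looks like a bug in isolation, which is exactly why auditing for prototype pollution cannot stop at the deserializer: every consumer that reads optional properties is a candidate for being influenced.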